Example 1: Mobile IP
Support Using the System as a GGSN/FA

For Mobile IP
applications, the system can be configured to perform the function of a Gateway
GPRS Support Node/Foreign Agent (GGSN/FA) and/or a Home Agent (HA). This
example describes what is needed for and how the system performs the role of
the GGSN/FA. Examples 2 and 3 provide information on using the system to
provide HA functionality.

The system's GGSN/FA
configuration for Mobile IP applications is best addressed with three contexts
(one source, one AAA, and one Mobile IP destination) configured as shown in the
figure that follows.

Important:

A fourth context
that serves as a destination context must also be configured if Reverse
Tunneling is disabled in the FA service configuration. Reverse Tunneling is
enabled by default.

The source context
will facilitate the GGSN service(s), and the Ga and Gn interfaces. The AAA
context will be configured to provide foreign AAA functionality for subscriber
PDP contexts and facilitate the AAA interfaces. The MIP destination context
will facilitate the FA service(s) and the Gi interface(s) from the GGSN/FA to
the HA.

The optional
destination context will allow the routing of data from the mobile node to the
packet data network by facilitating a packet data network (PDN) interface. This
context will be used only if reverse tunneling is disabled.

Information Required

Prior to configuring
the system as shown in this example, there is a minimum
amount of information required. The following sections
describe the information required to configure the source and destination
contexts.

Source Context Configuration

The following table lists the information that is required to
configure the source context.

Table 1 Required Information for Source Context Configuration

Required Information

Description

Source context name

An identification string from 1 to 79 characters
(alpha and/or numeric) by which the source context will be recognized by the
system.
Important: The name of the source context should be
the same as the name of the context in which the FA-context is configured if a
separate system is being used to provide GGSN/FA functionality.

Gn Interface Configuration

Gn interface name

An identification string between 1 and 79
characters (alpha and/or numeric) by which the interface will be recognized by
the system.

Multiple names are needed if multiple interfaces will be
configured.

IP address and subnet

These will be assigned to the Gn interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

The physical port to which the interface will be
bound.

Ports are identified by the chassis slot number in which the line
card resides, followed by the number of the physical connector on the line
card.

For example, port 17/1 identifies connector number 1 on the
card in slot 17. A single physical port can facilitate multiple interfaces.

Physical port description

An identification string from 1 to 79 characters
(alpha and/or numeric) by which the physical port will be recognized by the
system.

Multiple descriptions are needed if multiple ports will be
used.

Physical ports are configured within the source context and
are used to bind logical Gn interfaces.

Gateway IP address

Used when configuring static routes from the Gn
interface(s) to a specific network.

GGSN service Configuration

GGSN service name

An identification string from 1 to 63 characters
(alpha and/or numeric) by which the GGSN service will be recognized by the
system.

Multiple names are needed if multiple GGSN services will be
used.

Accounting context

The name of the context configured on the system
in which the processing of GTPP accounting records is performed.

The context name is an identification string from 1 to 79
characters (alpha and/or numeric).

By default, the system attempts to use the same context as the
one in which the GGSN service is configured.

UDP port number for GTPC traffic

The port used by the GGSN service and the SGSN
for communicating GTPC sockets for GTPv1.

The UDP port number can be any integer value from 1 to
65535. The default value is 2123.

Public Land Mobile Network (PLMN)
Identifiers

Mobile Country Code (MCC): The MCC can be
configured to any integer value from 0 to 999.

Mobile Network Code (MNC): The MNC can be
configured to any integer value from 0 to 999.

SGSN information (optional)

The GGSN can be configured with information
about the SGSN(s) that it is to communicate with.

This includes the SGSN's IP address and subnet mask and
whether or not the SGSN is on a foreign PLMN. Multiple SGSNs can be configured.

GGSN charging characteristics (CC)
(optional)

Behavior Bits: If charging
characteristics will be configured on the GGSN, behavior bits for the following
conditions can be configured:

GGSN use of the
accounting server specified by the profile index

GGSN rejection of
Create PDP Context Request messages

GGSN ceases
sending accounting records

Each value must be a unique bit from 1 to 12 to represent the
12 possible behavior bits allowed for in the standards. The default
configuration is disabled (0).

Profile Index: If the GGSN's charging
characteristics will be used for subscriber PDP contexts, profile indexes can
be modified/configured for one or more of the following conditions:

The number of
statistics container changes is met or exceeded causing an accounting record to
be closed. The number can be configured from 1 to 15. The default is 4.

The up and/or
downlink traffic volume limits are met or exceeded within a specific time
interval causing a partial record to be generated. The up and downlink volumes
can be configured from 0 to 1000000 octets. The interval can be configured from
60 to 40000000 seconds.

The up and/or
downlink traffic volume limits are met or exceeded causing an accounting record
to be closed. The up and downlink volumes can be configured from 100000 to
4000000000 octets.

The number of SGSN
switchovers is met or exceeded causing an accounting record to be closed. The
number can be configured from 1 to 15. The default is 4.

Specific tariff
times within a day are reached causing an accounting record to be closed. Up to
four times can be configured using the hour of the day (1-24) and the minute
(1-60).

The system supports the configuration of up to 16 profile
indexes numbered 0 through 15.

PLMN policy

The GGSN can be configured to treat communications
from unconfigured SGSNs in one of the following ways:

Treat the SGSN as
if it is on a foreign PLMN

Treat the SGSN as
if it is on a home PLMN

Reject
communications from unconfigured SGSNs (default)

Ga Interface Configuration

Ga interface name

An identification string from 1 to 79 characters
(alpha and/or numeric) by which the interface will be recognized by the system.

Multiple names are needed if multiple interfaces will be
configured.

IP address and subnet

These will be assigned to the Ga interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

The physical port to which the interface will be
bound. Ports are identified by the chassis slot number in which the line card
resides, followed by the number of the physical connector on the line card.
For example, port 17/1 identifies connector number 1 on the card in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

An identification string between 1 and 79
characters (alpha and/or numeric) by which the physical port will be recognized
by the system.

Multiple descriptions are needed if multiple ports will be
used.

Physical ports are configured within the source context and
are used to bind logical Ga interfaces.

Gateway IP address

Used when configuring static routes from the Ga
interface(s) to a specific network.

GTPP Configuration

Charging gateway address

The IP address of the system's GGSN interface.

CGF server information

IP address: The IP address of the CGF
server to which the GGSN will send accounting information.

Multiple CGFs can be configured.

Priority: If more than one CGF is
configured, this is the server's priority. It is used to determine the rotation
order of the CGFs when sending accounting information.

The priority can be configured to any integer value from 1 to
1000. The default is 1.

Maximum number of messages: The maximum
number of outstanding or unacknowledged GTPP messages allowed for the CGF.

The maximum number can be configured to any integer value from
1 to 256. The default is 256.

GCDR optional fields

The following optional fields can be
specified/configured in CDRs generated by the GGSN:

diagnostics

duration-ms: the
time specified in the mandatory Duration field is reported in milliseconds

local-record-sequence-number

plmn-id

AAA Context Configuration

Table 2 Required Information for AAA Context Configuration

Required Information

Description

AAA context name

An identification string from 1 to 79 characters
(alpha and/or numeric) by which the AAA context will be recognized by the
system.
Important: If a separate system is used to provide HA
functionality, the AAA context name should match the name of the context in
which the AAA functionality is configured on the HA machine.

APN Configuration

APN name

An identification string by which the APN will be
recognized by the system. The name can be from 1 to 62 alpha and/or numeric
characters and is not case sensitive. It may also contain dots ( . ) and/or
dashes ( - ).

Multiple names are needed if multiple APNs will be used.

Accounting mode

Selects the accounting protocol. GTPP or RADIUS
are supported. In addition, accounting can be completely disabled. The default
is to perform accounting using GTPP.
Important: The examples discussed in this chapter
assume GTPP is used.

Authentication protocols used

Specifies how the system handles authentication:
using a protocol (such as CHAP, PAP, or MSCHAP), or not requiring any
authentication.

APN charging characteristics (CC) (optional)

Specifies whether or not the GGSN accepts the CC
from the SGSN for home, visiting, and roaming subscribers.

By default the GGSN accepts the CC from the SGSN for all three
scenarios.

If the GGSN is to use its own CC for any of these scenarios,
then each scenario requires the specification of behavior bits and a profile
index to use.

Important: The profile index parameters are configured
as part of the GGSN service.

Domain Name Service (DNS) information (optional)

If DNS will be used for the APN, IP addresses can
be configured for primary and secondary DNS servers.

IP destination context name

The name of the system destination context to use
for subscribers accessing the APN. If no name is specified, the system
automatically uses the system context in which the APN is configured.

Maximum number of PDP contexts

The maximum number of PDP contexts that are
supported for the APN.

The maximum number can be configured to any integer value from 1
to 1500000. The default is 1000000.

PDP type

The type of PDP contexts supported by the APN. The
type can be IPv4, IPv6, both IPv4 and IPv6, or PPP. IPv4 support is enabled by
default.

Verification selection mode

The level of verification that will be used to
ensure an MS's subscription to use the APN. The GGSN uses any of the following
methods:

No verification and
MS supplies APN

No verification and SGSN supplies APN

Verified by SGSN (default)

Mobile IP Configuration

Home Agent IP Address: The IP address of an
HA with which the system will tunnel subscriber Mobile IP sessions.

Configuring this information tunnels all subscriber Mobile IP
PDP contexts facilitated by the APN to the same HA unless an individual
subscriber profile provides an alternate HA address.

Mobile IP Requirement: The APN can be
configured to require Mobile IP for all sessions it facilitates. Incoming PDP
contexts that do/can not use Mobile IP are dropped.

AAA Interface Configuration

AAA interface name

This is an identification string from 1 to 79
characters (alpha and/or numeric) by which the interface will be recognized by
the system.

Multiple names are needed if multiple interfaces will be
configured.

IP address and subnet

These will be assigned to the AAA interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number in
which the line card resides, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string from 1 to 79
characters (alpha and/or numeric) by which the physical port will be recognized
by the system.

Multiple descriptions are needed if multiple ports will be used.

Physical ports are used to bind logical AAA interfaces.

Gateway IP address

Used when configuring static routes from the AAA
interface(s) to a specific network.

Foreign RADIUS Server Configuration

Foreign RADIUS Authentication server

IP Address: Specifies the IP address of the
Foreign RADIUS authentication server the system will communicate with to
provide subscriber authentication functions.

Multiple addresses are needed if multiple RADIUS servers will be
configured.

Foreign RADIUS servers are configured within the source
context. Multiple servers can be configured and each can be assigned a
priority.

Shared Secret: The shared secret is a
string between 1 and 15 characters (alpha and/or numeric) that specifies the
key that is exchanged between the RADIUS authentication server and the source
context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number: Specifies the port used by
the source context and the RADIUS authentication server for communications. The
UDP port number can be any integer value between 1 and 65535. The default value
is 1812.

Foreign RADIUS Accounting server
(optional)

IP Address: Specifies the IP address of the
foreign RADIUS accounting server that the source context will communicate with
to provide subscriber accounting functions.

Multiple addresses are needed if multiple RADIUS servers will be
configured. RADIUS accounting servers are configured within the source context.

Multiple servers can be configured and each assigned a priority.

Shared Secret: The shared secret is a
string between 1 and 15 characters (alpha and/or numeric) that specifies the
key that is exchanged between the foreign RADIUS accounting server and the
source context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number: Specifies the port used by
the source context and the foreign RADIUS Accounting server for communications.
The UDP port number can be any integer value between 1 and 65535. The default
value is 1813.

RADIUS attribute NAS Identifier

Specifies the name by which the source context
will be identified in the Access-Request message(s) it sends to the RADIUS
server. The name must be from 1 to 32 alpha and/or numeric characters and is
case sensitive.

RADIUS NAS IP address

Specifies the IP address of the system's AAA
interface. A secondary address can be optionally configured.

Mobile IP Destination Context Configuration

This is an identification string between 1 and 79
characters (alpha and/or numeric) by which the Mobile IP destination context
will be recognized by the system.
Important: For this configuration, the destination
context name should
not match the domain name of a specific domain. It should,
however, match the name of the context in which the HA service is configured if
a separate system is used to provide HA functionality.

Gi Interface Configuration

Gi interface name

This is an identification string between 1 and 79
characters (alpha and/or numeric) by which the interface will be recognized by
the system.

Multiple names are needed if multiple interfaces will be
configured.

Gi interfaces are configured in the destination context.

IP address and subnet

These will be assigned to the Gi interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number in
which the line card resides, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description(s)

This is an identification string between 1 and 79
characters (alpha and/or numeric) by which the physical port will be recognized
by the system.

Multiple descriptions will be needed if multiple ports will be
used.

Physical ports are configured within the destination context and
are used to bind logical Gi interfaces.

Gateway IP address(es)

Used when configuring static routes from the Gi
interface(s) to a specific network.

FA Service Configuration

FA service name

This is an identification string between 1 and 63
characters (alpha and/or numeric) by which the FA service will be recognized by
the system.

Multiple names are needed if multiple FA services will be used.

FA services are configured in the destination context.

UDP port number for Mobile IP traffic

Specifies the port used by the FA service and the
HA for communications. The UDP port number can be any integer value between 1
and 65535. The default value is 434.

Security Parameter Index (indices)
Information

HA IP address: Specifies the IP address of
the HAs with which the FA service communicates. The FA service allows the
creation of a security profile that can be associated with a particular HA.

Index: Specifies the shared SPI between the
FA service and a particular HA. The SPI can be configured to any integer value
between 256 and 4294967295. Multiple SPIs can be configured if the FA service is
to communicate with multiple HAs.

Secrets: Specifies the shared SPI secret
between the FA service and the HA. The secret can be between 1 and 127
characters (alpha and/or numeric). An SPI secret is required for each SPI
configured.

Hash-algorithm: Specifies the algorithm
used to hash the SPI and SPI secret. The possible algorithms that can be
configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is
hmac-md5. A hash-algorithm is required for each SPI configured.

FA agent advertisement lifetime

Specifies the time (in seconds) that an FA agent
advertisement remains valid in the absence of further advertisements.

The time can be configured to any integer value between 1 and
65535. The default is 9000.

Number of allowable unanswered FA advertisements

Specifies the number of unanswered agent
advertisements that the FA service will allow during call setup before it will
reject the session.

The number can be any integer value between 1 and 65535. The
default is 5.

Maximum mobile-requested registration lifetime
allowed

Specifies the longest registration lifetime that
the FA service will allow in any Registration Request message from the mobile
node.

The lifetime is expressed in seconds and can be configured
between 1 and 65534. An infinite registration lifetime can be configured by
disabling the timer. The default is 600 seconds.

Registration reply timeout

Specifies the amount of time that the FA service
will wait for a Registration Reply from an HA.

The time is measured in seconds and can be configured to any
integer value between 1 and 65535. The default is 7.

Number of simultaneous registrations

Specifies the number of simultaneous Mobile IP
sessions that will be supported for a single subscriber.

The maximum number of sessions is 3. The default is 1.

NOTE: The system will only support multiple Mobile IP
sessions per subscriber if the subscriber's mobile node has a static IP
address.

Mobile node re-registration requirements

Specifies how the system should handle
authentication for mobile node re-registrations.

The FA service can be configured to always require
authentication or not. If not, the initial registration and de-registration
will still be handled normally.

Maximum registration lifetime

Specifies the longest registration lifetime that
the HA service will allow in any Registration Request message from the mobile
node.

The time is measured in seconds and can be configured to any
integer value between 1 and 65535. An infinite registration lifetime can also
be configured by disabling the timer. The default is 600.

Maximum number of simultaneous bindings

Specifies the maximum number of "care-of"
addresses that can simultaneously be bound for the same user as identified by
NAI and Home address.

The number can be configured to any integer value between 1 and
5. The default is 3.

Optional Destination Context Configuration

The following table lists the information required to configure the
optional destination context. As discussed previously, this context is required
if: 1) reverse tunneling is disabled in the FA service, or 2) if access control
lists (ACLs) are used.

Important:

If ACLs are used, the destination context would only consist of the
ACL configuration. Interface configuration would not be required.

Table 4 Required Information for Destination Context Configuration

Required Information

Description

Destination context name

This is an identification string between 1 and
79 characters (alpha and/or numeric) by which the destination context will be
recognized by the system.
Important: For this configuration, the destination
context name should
not match the domain name of a specific domain.

PDN Interface Configuration

PDN interface name

This is an identification string between 1 and
79 characters (alpha and/or numeric) by which the interface will be recognized
by the system.

Multiple names are needed if multiple interfaces will be
configured. PDN interfaces are configured in the destination context.

IP address and subnet

These will be assigned to the PDN interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number in
which the line card resides, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string between 1 and
79 characters (alpha and/or numeric) by which the physical port will be
recognized by the system. Multiple descriptions are needed if multiple ports
will be used.

Physical ports are configured within the destination context
and are used to bind logical PDN interfaces.

Gateway IP address(es)

Used when configuring static routes from the PDN
interface(s) to a specific network.

How This
Configuration Works

The following figure
and the text that follows describe how this configuration with a single source
and destination context would be used by the system to process a Mobile IP data
call.

Figure 2. Call Processing When Using the system as a GGSN/FA

A Create PDP
Context Request message for a subscriber session is sent from the SGSN to the
GGSN service over the Gn interface. The message contains information such as
the PDP Type, APN, and charging characteristics.

The GGSN
determines whether or not it is configured with an APN identical to the one
specified in the message. If so, it determines how to process the session based
on the configuration of the APN. In this case, it is determined that Mobile IP
must be used. From the APN configuration, the system also determines the
context in which the FA service is configured.

If subscriber
authentication is required, the GGSN authenticates the subscriber by
communicating with a RADIUS server over the AAA interface.

The GGSN returns
an affirmative Create PDP Context Response to the SGSN over the Gn interface.
The home address assigned to the mobile as part of the response is 0.0.0.0
indicating that it will be reset with a Home address after the PDP context
activation procedure.

The FA component
of the GGSN sends an Agent Advertisement message to the MS. The message contains
the FA parameters needed by the mobile such as one or more care-of addresses.
The message is sent as an IP limited broadcast message (i.e. destination
address 255.255.255.255), however only on the requesting MS's TEID to avoid
broadcast over the radio interface.

The MS sends a
Mobile IP Registration request to the GGSN/FA. This message includes either the
MS's static home address or it can request a temporary address by sending
0.0.0.0 as its home address. Additionally, the request must always include the
Network Access Identifier (NAI) in a Mobile-Node-NAI Extension.

The FA forwards
the registration request from the MS to the HA while the MS's home address or
NAI and TEID are stored by the GGSN. In response the HA sends a registration
response to the FA containing the address assigned to the MS.

The FA extracts
the home address assigned to the MS by the HA from the response and the GGSN
updates the associated PDP context. The FA then forwards it to the MS
(identified by either the home address or the NAI and TEID).

The GGSN issues
a PDP context modification procedure to the SGSN in order to update the PDP
address for the MS.

Upon termination
of the subscriber session, the GGSN sends GGSN charging detail records to the
CGF using GTPP over the Ga interface.
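The registration steps above (Registration Request carrying the Mobile-Node-NAI extension, forwarded by the FA to the HA) and the SPI information in the FA service table (SPI index, shared secret, hash algorithm) are easier to reason about with the message bytes in hand. The following is an added example, not code from the system or this guide: it builds a Registration Request in the RFC 3344 wire format, appends an authentication extension keyed by an SPI, and verifies it the way a receiving HA or FA service would before acting on it, including the timestamp replay check whose 60-second default tolerance is described under the mobile-node SPI information in Example 2. The addresses, NAI, SPI value and secret are constructed for the example; the mapping of the guide's "hmac-md5" setting to HMAC-MD5 (RFC 2104) over the registration message, and of its RFC 2002 keyed-MD5 to the prefix+suffix construction, is an assumption taken from those RFCs.

```python
import hashlib
import hmac
import struct

# Added example (not the system's own code): Mobile IP Registration Request
# construction and verification per RFC 3344, with SPI-keyed authentication
# and timestamp-based replay protection.

REG_REQUEST = 1
MN_HA_AUTH_EXT = 32      # Mobile-Home Authentication Extension (RFC 3344)
FA_HA_AUTH_EXT = 34      # Foreign-Home Authentication Extension (RFC 3344)
MN_NAI_EXT = 131         # Mobile Node NAI Extension (RFC 2794)
REPLAY_TOLERANCE_S = 60  # timestamp replay-protection tolerance (guide's default)

# Security-association table keyed by SPI (guide: 256..4294967295).
# Constructed values for the example; a real secret is 1-127 characters.
SA_TABLE = {
    0x100: {"secret": b"constructed-example-secret", "algorithm": "hmac-md5"},
}


def ipv4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_request(home, ha, care_of, lifetime, ident_seconds):
    """Fixed 24-byte part of a Registration Request. The Identification field
    carries an NTP-style 64-bit timestamp; the seconds go in the high 32 bits."""
    identification = ident_seconds << 32
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST, 0, lifetime,
                       ipv4(home), ipv4(ha), ipv4(care_of), identification)


def add_nai_extension(msg, nai):
    """Mobile-Node-NAI extension; the guide notes every request must carry one."""
    data = nai.encode()
    return msg + struct.pack("!BB", MN_NAI_EXT, len(data)) + data


def authenticator(covered, secret, algorithm):
    if algorithm == "hmac-md5":    # HMAC-MD5 (RFC 2104), the RFC 3344 default
        return hmac.new(secret, covered, hashlib.md5).digest()
    if algorithm == "keyed-md5":   # RFC 2002 "prefix+suffix" keyed MD5
        return hashlib.md5(secret + covered + secret).digest()
    raise ValueError("unsupported hash-algorithm: %s" % algorithm)


def add_auth_extension(msg, ext_type, spi, secret, algorithm):
    """The authenticator covers the request, all prior extensions, and this
    extension's Type, Length and SPI. Length = 4 (SPI) + 16 (MD5 digest)."""
    header = struct.pack("!BBI", ext_type, 4 + 16, spi)
    return msg + header + authenticator(msg + header, secret, algorithm)


def verify_request(packet, ext_type, now_seconds, sa_table=SA_TABLE):
    """Return 'ok', or the reason a receiving service rejects the request."""
    if len(packet) < 24 or packet[0] != REG_REQUEST:
        return "not a registration request"
    # Walk the extension chain to find the requested authentication extension.
    off, found = 24, None
    while off + 2 <= len(packet):
        etype, elen = packet[off], packet[off + 1]
        if etype == ext_type:
            found = off
            break
        off += 2 + elen
    if found is None:
        return "missing authentication extension"
    elen = packet[found + 1]
    if elen != 20 or found + 2 + elen > len(packet):
        return "malformed authentication extension"
    spi = struct.unpack("!I", packet[found + 2:found + 6])[0]
    sa = sa_table.get(spi)
    if sa is None:
        return "unknown SPI"
    # Check the authenticator before the timestamp, and in constant time, so an
    # unauthenticated sender learns nothing about the replay window.
    expected = authenticator(packet[:found + 6], sa["secret"], sa["algorithm"])
    received = packet[found + 6:found + 22]
    if not hmac.compare_digest(expected, received):
        return "bad authenticator"
    ident_seconds = struct.unpack("!Q", packet[16:24])[0] >> 32
    if abs(now_seconds - ident_seconds) > REPLAY_TOLERANCE_S:
        return "replay: timestamp outside tolerance"
    return "ok"


if __name__ == "__main__":
    now = 1700000000  # constructed "current time" in seconds
    req = build_request("10.0.0.5", "192.0.2.1", "198.51.100.7", 600, now)
    req = add_nai_extension(req, "user@example.com")
    pkt = add_auth_extension(req, MN_HA_AUTH_EXT, 0x100,
                             SA_TABLE[0x100]["secret"], "hmac-md5")
    print(verify_request(pkt, MN_HA_AUTH_EXT, now + 5))    # ok
    print(verify_request(pkt, MN_HA_AUTH_EXT, now + 61))   # replay: timestamp outside tolerance
    forged = pkt[:2] + b"\xff\xff" + pkt[4:]               # lifetime tampered in transit
    print(verify_request(forged, MN_HA_AUTH_EXT, now))     # bad authenticator
```

Two points the code makes concrete. First, because the authenticator covers everything before its own SPI field, a Foreign-Home extension appended by the FA also covers the Mobile-Home extension and the NAI the MS supplied, so the HA can tell which hop altered a request. Second, the timestamp check only works if the MS and HA clocks agree to within the tolerance; RFC 3344 handles a mismatch by replying with code 133 and the HA's own Identification so the mobile can resynchronize rather than by widening the window, which is why a 60-second tolerance is a reasonable default rather than a value to raise when registrations fail.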

Example 2: Mobile IP
Support Using the System as an HA

The system supports
both Simple and Mobile IP. For Mobile IP applications, the system can be
configured to perform the function of a GGSN/FA and/or a HA. This example
describes what is needed for and how the system performs the role of the HA.
Example number 1 provides information on using the system to provide GGSN/FA
functionality.

The system's HA
configuration for Mobile IP applications requires that at least two contexts
(one source and one destination) be configured as shown in the following
figure.

Figure 3. Mobile IP
Support Using the system as an HA

The source context
will facilitate the HA service(s), the Gi interfaces from the FA, and the AAA
interfaces. The source context will also be configured to provide Home AAA
functionality for subscriber sessions. The destination context will facilitate
the PDN interface(s).

Information Required

Prior to configuring the system as shown in this example, there is a
minimum amount of information required. The following sections describe the
information required to configure the source and destination contexts.

Source Context Configuration

The following table lists the information that is required to
configure the source context.

Table 5 Required Information for Source Context Configuration

Required Information

Description

Source context name

An identification string from 1 to 79 characters
(alpha and/or numeric) by which the source context will be recognized by the
system.

Gi Interface Configuration

Gi interface name

This is an identification string between 1 and
79 characters (alpha and/or numeric) by which the interface will be recognized
by the system.

Multiple names are needed if multiple interfaces will be
configured.

Gi interfaces are configured in the destination context.

IP address and subnet

These will be assigned to the Gi interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number in
which the line card resides, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description(s)

This is an identification string between 1 and
79 characters (alpha and/or numeric) by which the physical port will be
recognized by the system.

Multiple descriptions will be needed if multiple ports will be
used.

Physical ports are configured within the destination context
and are used to bind logical Gi interfaces.

Gateway IP address

Used when configuring static routes from the Gi
interface(s) to a specific network.

HA service Configuration

HA service name

An identification string from 1 to 63 characters
(alpha and/or numeric) by which the HA service will be recognized by the
system.

Multiple names are needed if multiple HA services will be
used.

HA services are configured in the destination context.

UDP port number for Mobile IP traffic

The port used by the HA service and the FA for
communications. The UDP port number can be any integer value from 1 to
65535. The default value is 434.

Mobile node re-registration requirements

Specifies how the system should handle
authentication for mobile node re-registrations. The HA service can be
configured as follows:

Always require
authentication

Never require
authentication
Important: The initial registration and
de-registration will still be handled normally.

Never look for
mn-aaa extension

Not require
authentication but will authenticate if mn-aaa extension present.

FA-to-HA Security Parameter Index
Information

FA IP address: The HA service allows the
creation of a security profile that can be associated with a particular FA.

This specifies the IP address of the FA that the HA service
will be communicating with.

Multiple FA addresses are needed if the HA will be
communicating with multiple FAs.

Index: Specifies the shared SPI between
the HA service and a particular FA. The SPI can be configured to any integer
value between 256 and 4294967295.

Multiple SPIs can be configured if the HA service is to
communicate with multiple FAs.

Secret: Specifies the shared SPI secret
between the HA service and the FA. The secret can be between 1 and 127
characters (alpha and/or numeric).

An SPI secret is required for each SPI configured.

Hash-algorithm: Specifies the algorithm
used to hash the SPI and SPI secret. The possible algorithms that can be
configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default
algorithm is
hmac-md5.

A hash-algorithm is required for each SPI configured.

Mobile Node Security Parameter
Index Information

Index: Specifies the shared SPI between
the HA service and a particular FA. The SPI can be configured to any integer
value between 256 and 4294967295.

Multiple SPIs can be configured if the HA service is to
communicate with multiple FAs.

Secret: Specifies the shared SPI secret
between the HA service and the FA. The secret can be between 1 and 127
characters (alpha and/or numeric).

An SPI secret is required for each SPI configured.

Hash-algorithm: Specifies the algorithm
used to hash the SPI and SPI secret. The possible algorithms that can be
configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default
algorithm is
hmac-md5.

A hash-algorithm is required for each SPI configured.

Replay-protection process: Specifies how
protection against replay-attacks is implemented. The possible processes are
nonce and timestamp. The default is timestamp with a tolerance of 60 seconds.

A replay-protection process is required for each mobile
node-to-HA SPI configured.

Maximum registration lifetime

Specifies the longest registration lifetime that
the HA service will allow in any Registration Request message from the mobile
node.

The time is measured in seconds and can be configured to any
integer value between 1 and 65535. An infinite registration lifetime can also
be configured by disabling the timer. The default is 600.

Maximum number of simultaneous bindings

Specifies the maximum number of "care-of"
addresses that can simultaneously be bound for the same user as identified by
NAI and Home address.

The number can be configured to any integer value between 1
and 5. The default is 3.

AAA Interface Configuration

AAA interface name

This is an identification string from 1 to 79
characters (alpha and/or numeric) by which the interface will be recognized by
the system.

Multiple names are needed if multiple interfaces will be
configured.

AAA interfaces will be configured in the source context.

IP address and subnet

These will be assigned to the AAA interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number where
the line card resides in, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string from 1 to 79
characters (alpha and/or numeric) by which the physical port will be recognized
by the system.

Multiple descriptions are needed if multiple ports will be
used.

Physical ports are used to bind logical AAA interfaces.

Gateway IP address

Used when configuring static routes from the AAA
interface(s) to a specific network.

Home RADIUS Server Configuration

Home RADIUS Authentication server

IP Address: Specifies the IP address of
the home RADIUS authentication server the system will communicate with to
provide subscriber authentication functions.

Multiple addresses are needed if multiple RADIUS servers will
be configured.

Home RADIUS servers are configured within the source context.
Multiple servers can be configured and each can be assigned a priority.

Shared Secret: The shared secret is a
string between 1 and 15 characters (alpha and/or numeric) that specifies the
key that is exchanged between the RADIUS authentication server and the source
context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number: Specifies the port used
by the source context and the RADIUS authentication server for communications.
The UDP port number can be any integer value between 1 and 65535. The default
value is 1812.

Home RADIUS Accounting server
(optional)

IP Address: Specifies the IP address of
the home RADIUS accounting server that the source context will communicate with
to provide subscriber accounting functions.

Multiple addresses are needed if multiple RADIUS servers will
be configured. RADIUS accounting servers are configured within the source
context.

Multiple servers can be configured and each assigned a
priority.

Shared Secret: The shared secret is a
string between 1 and 15 characters (alpha and/or numeric) that specifies the
key that is exchanged between the home RADIUS accounting server and the source
context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number: Specifies the port used
by the source context and the home RADIUS Accounting server for communications.
The UDP port number can be any integer value between 1 and 65535. The default
value is 1813.

RADIUS attribute NAS Identifier

Specifies the name by which the source context
will be identified in the Access-Request message(s) it sends to the RADIUS
server. The name must be from 1 to 32 alpha and/or numeric characters and is
case sensitive.

RADIUS NAS IP address

Specifies the IP address of the system's AAA
interface. A secondary address can be optionally configured.

Default Subscriber Configuration

"Default" subscriber's IP context name

Specifies the name of the egress context on the
system that facilitates the Gi interfaces.
Important: For this configuration, the IP context
name should be identical to the name of the destination context.

Destination Context Configuration

The following table lists the information required to configure the
destination context.

Table 6 Required Information for Destination Context Configuration

Required Information

Description

Destination context name

This is an identification string between 1 and 79
characters (alpha and/or numeric) by which the destination context will be
recognized by the system.
Important: For this configuration, the destination
context name should
not match the domain name of a specific domain.

PDN Interface Configuration

PDN interface name

This is an identification string between 1 and 79
characters (alpha and/or numeric) by which the interface will be recognized by
the system.

Multiple names are needed if multiple interfaces will be
configured.

PDN interfaces are configured in the destination context.

IP address and subnet

These will be assigned to the PDN interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number where
the line card resides in, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string between 1 and 79
characters (alpha and/or numeric) by which the physical port will be recognized
by the system. Multiple descriptions are needed if multiple ports will be used.

Physical ports are configured within the destination context and
are used to bind logical PDN interfaces.

Gateway IP address(es)

Used when configuring static routes from the PDN
interface(s) to a specific network.

IP Address Pool Configuration

IP address pool name

Each IP address pool is identified by a name. The
pool name can be between 1 and 31 alpha and/or numeric characters and is case
sensitive.

IP address pools are configured in the destination context(s).
Multiple address pools can be configured within a single context.

IP pool addresses

An initial address and a subnet, or a starting
address and an ending address, are required for each configured pool. The pool
will then consist of every possible address within the subnet, or all addresses
from the starting address to the ending address.

The pool can be configured as public, private, or static.

How This
Configuration Works

The following figure
and the text that follows describe how this configuration with a single source
and destination context would be used by the system to process a Mobile IP data
call.

Figure 4. Call Processing When Using the system as an HA

A subscriber
session from the FA is received by the HA service over the Gi interface.

The HA service
determines which context to use to provide AAA functionality for the session.
This process is described in the How the System Selects Contexts section
located in the
Understanding the System Operation and Configuration
chapter of the
System
Administration Guide.

For this
example, the result of this process is that the HA service determined that AAA
functionality should be provided by the
Source context.

The system then
communicates with the Home AAA server specified in the Source context's AAA
configuration to authenticate the subscriber.

Upon successful
authentication, the
Source context determines which egress context to use for
the subscriber session. This process is described in the
How the
System Selects Contexts section located in the
Understanding the System Operation and Configuration
chapter of the
System
Administration Guide.

For this
example, the system determines that the egress context is the Destination
context based on the configuration of the
Default subscriber.

An IP address is
assigned to the subscriber's mobile node from an IP address pool configured in
the destination context. This IP address is used for the duration of the
session and is then returned to the pool.

Data traffic for
the subscriber session is then routed through the PDN interface in the
Destination context.

Accounting
messages for the session are sent to the AAA server over the AAA interface.

Example 3: HA Using
a Single Source Context and Multiple Outsourced Destination Contexts

The system allows
the wireless carrier to easily generate additional revenue by providing the
ability to configure separate contexts that can then be leased or outsourced to
various enterprises or ISPs, each having a specific domain.

In order to perform
the role of an HA and support multiple outsourced domains, the system must be
configured with at least one source context and multiple destination contexts
as shown in the following figure. The AAA servers could be owned/maintained by
either the carrier or the domain. If they are owned by the domain, the carrier
will have to receive the AAA information via proxy.

Figure 5. The system as
an HA Using a Single Source Context and Multiple Outsourced Destination
Contexts

The source context
will facilitate the HA service(s), and the Gi interface(s) to the FA(s). The
source context will also be configured with AAA interface(s) and to provide
Home AAA functionality for subscriber sessions. The destination contexts will
each be configured to facilitate PDN interfaces. In addition, because each of
the destination contexts can be outsourced to different domains, they will also
be configured with AAA interface(s) and to provide AAA functionality for that
domain.

In addition to the
source and destination contexts, there are additional system-level AAA
parameters that must be configured.

Information Required

Prior to configuring the system as shown in this example, there is a
minimum amount of information required. The following sections describe the
information required to configure the source and destination contexts.

Source Context Configuration

The following table lists the information that is required to
configure the source context.

Table 7 Required Information for Source Context Configuration

Required Information

Description

Source context name

An identification string from 1 to 79 characters
(alpha and/or numeric) by which the source context will be recognized by the
system.

Gi Interface Configuration

Gi interface name

An identification string between 1 and 79
characters (alpha and/or numeric) by which the interface will be recognized by
the system.

Multiple names are needed if multiple interfaces will be
configured.

Gi interfaces are configured in the destination context.

IP address and subnet

These will be assigned to the Gi interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

The physical port to which the interface will be
bound. Ports are identified by the chassis slot number where the line card
resides in, followed by the number of the physical connector on the line card.
For example, port 17/1 identifies connector number 1 on the card in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

An identification string from 1 to 79 characters
(alpha and/or numeric) by which the physical port will be recognized by the
system.

Multiple descriptions are needed if multiple ports will be
used.

Physical ports are configured within the source context and
are used to bind logical Gn interfaces.

Gateway IP address

Used when configuring static routes from the Gi
interface(s) to a specific network.

HA service Configuration

HA service name

An identification string from 1 to 63 characters
(alpha and/or numeric) by which the HA service will be recognized by the
system.

Multiple names are needed if multiple HA services will be
used.

HA services are configured in the destination context.

UDP port number for Mobile IP traffic

The port used by the HA service and the FA for
communications. The UDP port number can be any integer value from 1 to
65535. The default value is 434.

Mobile node re-registration requirements

Specifies how the system should handle
authentication for mobile node re-registrations. The HA service can be
configured as follows:

Always require
authentication

Never require
authentication
Important: The initial registration and
de-registration will still be handled normally.

Never look for
mn-aaa extension

Not require
authentication, but authenticate if the mn-aaa extension is present.

FA-to-HA Security Parameter Index
Information

FA IP address: The HA service allows the
creation of a security profile that can be associated with a particular FA.

This specifies the IP address of the FA that the HA service
will be communicating with.

Multiple FA addresses are needed if the HA will be
communicating with multiple FAs.

Index: Specifies the shared SPI between
the HA service and a particular FA. The SPI can be configured to any integer
value between 256 and 4294967295.

Multiple SPIs can be configured if the HA service is to
communicate with multiple FAs.

Secret: Specifies the shared SPI secret
between the HA service and the FA. The secret can be between 1 and 127
characters (alpha and/or numeric).

An SPI secret is required for each SPI configured.

Hash-algorithm: Specifies the algorithm
used to hash the SPI and SPI secret. The possible algorithms that can be
configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default
algorithm is
hmac-md5.

A hash-algorithm is required for each SPI configured.

Mobile Node Security Parameter
Index Information

Index: Specifies the shared SPI between
the HA service and a particular FA. The SPI can be configured to any integer
value between 256 and 4294967295.

Multiple SPIs can be configured if the HA service is to
communicate with multiple FAs.

Secret: Specifies the shared SPI secret
between the HA service and the FA. The secret can be between 1 and 127
characters (alpha and/or numeric).

An SPI secret is required for each SPI configured.

Hash-algorithm: Specifies the algorithm
used to hash the SPI and SPI secret. The possible algorithms that can be
configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default
algorithm is
hmac-md5.

A hash-algorithm is required for each SPI configured.

Replay-protection process: Specifies how
protection against replay attacks is implemented. The possible processes are
nonce and timestamp. The default is timestamp with a tolerance of 60 seconds.

A replay-protection process is required for each mobile
node-to-HA SPI configured.

Maximum registration lifetime

Specifies the longest registration lifetime that
the HA service will allow in any Registration Request message from the mobile
node.

The time is measured in seconds and can be configured to any
integer value between 1 and 65535. An infinite registration lifetime can also
be configured by disabling the timer. The default is 600.

Maximum number of simultaneous bindings

Specifies the maximum number of "care-of"
addresses that can simultaneously be bound for the same user as identified by
NAI and Home address.

The number can be configured to any integer value between 1
and 5. The default is 3.
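The mobile-node SPI, hash-algorithm, replay-protection, maximum registration lifetime and simultaneous-bindings parameters above (here and in the matching entries of Example 2) are what the HA checks on every Registration Request. The following is an added Python example, not the system's own code, that walks a simplified RFC 2002 request through those checks with both configurable hash algorithms; the SPI table, addresses and clock value are constructed sample values, and the message layout is reduced to the fields the checks need.

```python
import hashlib
import hmac
import struct

# Constructed sample HA-service configuration (not values from the page): the
# mobile-node SPI table, plus the page's defaults for lifetime, bindings and
# replay-protection tolerance.
MN_SPI_TABLE = {
    1000: {"secret": b"example-shared-secret", "hash_algorithm": "hmac-md5"},
    1001: {"secret": b"legacy-shared-secret", "hash_algorithm": "keyed-md5"},
}
MAX_REGISTRATION_LIFETIME = 600   # seconds (page default)
MAX_SIMULTANEOUS_BINDINGS = 3     # care-of addresses per home address (page default)
TIMESTAMP_TOLERANCE = 60          # seconds (page default for timestamp replay protection)

NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
REGISTRATION_REQUEST = 1          # RFC 2002 message type
MN_HA_AUTH_EXT = 32               # RFC 2002 Mobile-Home Authentication Extension type
HEADER_FMT = "!BBH4s4s4sQ"        # type, flags, lifetime, home addr, HA addr, CoA, identification
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 24 bytes
EXT_HEAD_FMT = "!BBI"             # extension type, length, SPI
EXT_HEAD_LEN = struct.calcsize(EXT_HEAD_FMT)      # 6 bytes
AUTH_LEN = 16                     # MD5 digest length


def compute_authenticator(protected: bytes, entry: dict) -> bytes:
    """Authenticator over the bytes that precede it, using the SPI's hash-algorithm."""
    secret = entry["secret"]
    if entry["hash_algorithm"] == "hmac-md5":
        return hmac.new(secret, protected, hashlib.md5).digest()
    if entry["hash_algorithm"] == "keyed-md5":
        # RFC 2002 keyed MD5 in "prefix+suffix" mode: MD5(secret || data || secret)
        return hashlib.md5(secret + protected + secret).digest()
    raise ValueError("unsupported hash-algorithm: %r" % entry["hash_algorithm"])


def build_registration_request(spi, lifetime, home, ha, coa, mn_time):
    """Mobile-node side (constructed for the demo): request carrying a timestamp identification."""
    # High-order 32 bits: NTP seconds; low-order 32 bits: fraction (constant here).
    identification = ((mn_time + NTP_EPOCH_OFFSET) << 32) | 0x00000001
    header = struct.pack(HEADER_FMT, REGISTRATION_REQUEST, 0, lifetime, home, ha, coa, identification)
    ext_head = struct.pack(EXT_HEAD_FMT, MN_HA_AUTH_EXT, 4 + AUTH_LEN, spi)
    return header + ext_head + compute_authenticator(header + ext_head, MN_SPI_TABLE[spi])


def verify_registration_request(msg, now, bindings):
    """HA-side checks: SPI lookup, authenticator, timestamp window, binding limit, lifetime cap.

    Returns (accepted, reason, granted_lifetime); `bindings` maps home address -> set of CoAs
    and is updated when the request is accepted."""
    auth_off = HEADER_LEN + EXT_HEAD_LEN
    if len(msg) < auth_off + AUTH_LEN:
        return False, "truncated request", 0
    msg_type, _flags, lifetime, home, _ha, coa, identification = struct.unpack(HEADER_FMT, msg[:HEADER_LEN])
    if msg_type != REGISTRATION_REQUEST:
        return False, "not a Registration Request", 0
    ext_type, ext_len, spi = struct.unpack(EXT_HEAD_FMT, msg[HEADER_LEN:auth_off])
    if ext_type != MN_HA_AUTH_EXT or ext_len != 4 + AUTH_LEN:
        return False, "missing or malformed MN-HA authentication extension", 0
    entry = MN_SPI_TABLE.get(spi)
    if entry is None:
        return False, "unknown SPI %d" % spi, 0
    expected = compute_authenticator(msg[:auth_off], entry)
    # Constant-time comparison: a forged authenticator must not be distinguishable by timing.
    if not hmac.compare_digest(expected, msg[auth_off:auth_off + AUTH_LEN]):
        return False, "authenticator mismatch", 0
    # Timestamp replay protection: NTP seconds in the high-order 32 bits must be within tolerance.
    mn_seconds = (identification >> 32) - NTP_EPOCH_OFFSET
    if abs(now - mn_seconds) > TIMESTAMP_TOLERANCE:
        return False, "identification outside %ds tolerance" % TIMESTAMP_TOLERANCE, 0
    current = bindings.get(home, set())
    if coa not in current and len(current) >= MAX_SIMULTANEOUS_BINDINGS:
        return False, "binding limit of %d reached" % MAX_SIMULTANEOUS_BINDINGS, 0
    # RFC 2002 lets the HA grant a shorter lifetime than requested; cap at the configured maximum.
    granted = min(lifetime, MAX_REGISTRATION_LIFETIME)
    bindings.setdefault(home, set()).add(coa)
    return True, "accepted", granted


if __name__ == "__main__":
    home, ha, coa = bytes([10, 1, 1, 5]), bytes([10, 1, 1, 1]), bytes([192, 0, 2, 10])
    now = 1_700_000_000                      # constructed clock value
    req = build_registration_request(1000, 300, home, ha, coa, now)
    print(verify_registration_request(req, now + 5, {}))     # accepted, lifetime 300
    print(verify_registration_request(req, now + 120, {}))   # rejected: replayed outside the window
```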

AAA Interface Configuration

AAA interface name

This is an identification string from 1 to 79
characters (alpha and/or numeric) by which the interface will be recognized by
the system.

Multiple names are needed if multiple interfaces will be
configured.

AAA interfaces will be configured in the source context.

IP address and subnet

These will be assigned to the AAA interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number where
the line card resides in, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string from 1 to 79
characters (alpha and/or numeric) by which the physical port will be recognized
by the system.

Multiple descriptions are needed if multiple ports will be
used.

Physical ports are used to bind logical AAA interfaces.

Gateway IP address

Used when configuring static routes from the AAA
interface(s) to a specific network.

Home RADIUS Server Configuration

Home RADIUS Authentication server

IP Address: Specifies the IP address of
the home RADIUS authentication server the system will communicate with to
provide subscriber authentication functions.

Multiple addresses are needed if multiple RADIUS servers will
be configured.

Home RADIUS servers are configured within the source context.
Multiple servers can be configured and each can be assigned a priority.

Shared Secret: The shared secret is a
string between 1 and 15 characters (alpha and/or numeric) that specifies the
key that is exchanged between the RADIUS authentication server and the source
context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number: Specifies the port used
by the source context and the RADIUS authentication server for communications.
The UDP port number can be any integer value between 1 and 65535. The default
value is 1812.

Home RADIUS Accounting server
(optional)

IP Address: Specifies the IP address of
the home RADIUS accounting server that the source context will communicate with
to provide subscriber accounting functions.

Multiple addresses are needed if multiple RADIUS servers will
be configured. RADIUS accounting servers are configured within the source
context.

Multiple servers can be configured and each assigned a
priority.

Shared Secret: The shared secret is a
string between 1 and 15 characters (alpha and/or numeric) that specifies the
key that is exchanged between the home RADIUS accounting server and the source
context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number: Specifies the port used
by the source context and the home RADIUS Accounting server for communications.
The UDP port number can be any integer value between 1 and 65535. The default
value is 1813.

RADIUS attribute NAS Identifier

Specifies the name by which the source context
will be identified in the Access-Request message(s) it sends to the RADIUS
server. The name must be from 1 to 32 alpha and/or numeric characters and is
case sensitive.

RADIUS NAS IP address

Specifies the IP address of the system's AAA
interface. A secondary address can be optionally configured.

Default Subscriber Configuration

"Default" subscriber's IP context name

Specifies the name of the egress context on the
system that facilitates the Gi interfaces.
Important: For this configuration, the IP context
name should be identical to the name of the destination context.

Destination Context Configuration

The following table lists the information required to configure the
destination context. This information will be required for each domain.

Table 8 Required Information for Destination Context Configuration

Required Information

Description

Destination context name

This is an identification string between 1 and
79 characters (alpha and/or numeric) by which the destination context will be
recognized by the system.
Important: For this configuration, the destination
context name should
not match the domain name of a specific domain.

PDN Interface Configuration

PDN interface name

This is an identification string between 1 and
79 characters (alpha and/or numeric) by which the interface will be recognized
by the system.

Multiple names are needed if multiple interfaces will be
configured.

PDN interfaces are configured in the destination context.

IP address and subnet

These will be assigned to the PDN interface.

Multiple addresses and/or subnets are needed if multiple interfaces
will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number where
the line card resides in, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string between 1 and
79 characters (alpha and/or numeric) by which the physical port will be
recognized by the system.

Multiple descriptions are needed if multiple ports
will be used.

Physical ports are configured within the destination context and
are used to bind logical PDN interfaces.

Gateway IP address(es)

Used when configuring static routes from the PDN
interface(s) to a specific network.

IP Address Pool Configuration
(optional)

IP address pool name

Each IP address pool is identified by a name.
The pool name can be between 1 and 31 alpha and/or numeric characters and is
case sensitive.

IP address pools are configured in the destination context(s).
Multiple address pools can be configured within a single context.

IP pool addresses

An initial address and a subnet, or a starting
address and an ending address, are required for each configured pool. The pool
will then consist of every possible address within the subnet, or all addresses
from the starting address to the ending address.

The pool can be configured as public, private, or static.

AAA Interface Configuration

AAA interface name

This is an identification string from 1 to 79
characters (alpha and/or numeric) by which the interface will be recognized by
the system.

Multiple names are needed if multiple interfaces will be
configured.

IP address and subnet

These will be assigned to the AAA interface.

Multiple addresses and/or subnets are needed if multiple
interfaces will be configured.

Physical port number

This specifies the physical port to which the
interface will be bound. Ports are identified by the chassis slot number where
the line card resides in, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector number 1 on the card
in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string from 1 to 79
characters (alpha and/or numeric) by which the physical port will be recognized
by the system.

Multiple descriptions are needed if multiple ports will be
used.

Physical ports are used to bind logical AAA interfaces.

Gateway IP address

Used when configuring static routes from the AAA
interface(s) to a specific network.

RADIUS Server Configuration

RADIUS Authentication server

IP Address: Specifies the IP address of
the RADIUS authentication server the system will communicate with to provide
subscriber authentication functions.

Multiple addresses are needed if multiple RADIUS servers will
be configured.

Foreign RADIUS servers are configured within the source
context. Multiple servers can be configured and each can be assigned a
priority.

Shared Secret: The shared secret is a
string between 1 and 15 characters (alpha and/or numeric) that specifies the
key that is exchanged between the RADIUS authentication server and the source
context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number: Specifies the port used
by the source context and the RADIUS authentication server for communications.
The UDP port number can be any integer value between 1 and 65535. The default
value is 1812.

RADIUS Accounting server (optional)

IP Address: Specifies the IP address of
the RADIUS accounting server that the source context will communicate with to
provide subscriber accounting functions.

Multiple addresses are needed if multiple RADIUS servers will
be configured. RADIUS accounting servers are configured within the source
context.

Multiple servers can be configured and each assigned a
priority.

Shared Secret: The shared secret is a
string between 1 and 15 characters (alpha and/or numeric) that specifies the
key that is exchanged between the RADIUS accounting server and the source
context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number: Specifies the port used
by the source context and the RADIUS Accounting server for communications. The
UDP port number can be any integer value between 1 and 65535. The default value
is 1813.

RADIUS attribute NAS Identifier

Specifies the name by which the source context
will be identified in the Access-Request message(s) it sends to the RADIUS
server. The name must be from 1 to 32 alpha and/or numeric characters and is
case sensitive.

RADIUS NAS IP address

Specifies the IP address of the system's AAA
interface. A secondary address can be optionally configured.

System-Level AAA
Configuration

The following table
lists the information that is required to configure the system-level AAA
parameters.

Table 9 Required
Information for System-Level AAA Configuration

Required Information

Description

Subscriber default domain name

Specifies the name of a context that can provide AAA functions
in the event that the domain-part of the username is missing or poorly formed.

This
parameter will be applied to all subscribers if their domain cannot be
determined from their username regardless of what domain they are trying to
access.

Important: The default domain name can be the same as the source context.

Subscriber Last-resort context

Specifies the name of a context that can provide AAA functions
in the event that the domain-part of the username was present but does not
match the name of a configured destination context.

This
parameter will be applied to all subscribers if their specified domain does not
match a configured destination context regardless of what domain they are
trying to access.

Important: The last-resort context name can be the same as the source
context.

Subscriber username format

Specifies the format of subscriber usernames as to whether or
not the username or domain is specified first and the character that separates
them. The possible separator characters are:

@

%

-

\

#

/

Up to six
username formats can be specified. The default is
username@domain.

Important: The username string is searched from right to left for the
separator character. Therefore, if there are one or more separator characters in
the string, only the first one that is recognized is considered the actual
separator. For example, if the default username format was used, then for the
username string
user1@enterprise@isp1, the system resolves to the username
user1@enterprise with domain
isp1.

How This
Configuration Works

The following figure
and the text that follows describe how this configuration with a single source
and destination context would be used by the system to process a Mobile IP data
call.

Figure 6. Call Processing When Using the system as an HA with a Single
Source Context and Multiple Outsourced Destination Contexts

The system-level
AAA settings were configured as follows:

Subscriber
default domain name =
Domainx

Subscriber
username format =
username@domain

No
subscriber last-resort context name was configured

The subscriber
IP context names were configured as follows:

Within the
Source context, the IP context name was configured as
Domainx

Within the
Domainx context, the IP context name was configured as
Domainx

Sessions are
received by the HA service from the FA over the Gi interface for
subscriber1@Domain1, subscriber2, and
subscriber3@Domain37.

The HA service
attempts to determine the domain names for each session.

For
subscriber1, the HA service determines that a domain name
is present and is
Domain1.

For
subscriber2, the HA service determines that no domain
name is present.

For
subscriber3, the HA service determines that a domain name
is present and is
Domain37.

The HA service
determines which context to use to provide AAA functionality for the session.
This process is described in the
How the
System Selects Contexts section located in the
Understanding the System Operation and Configuration
chapter of the
System
Administration Guide.

For
subscriber1, the HA service determines that a context was
configured with a name (Domain1) that matches the domain name specified in the
username string. Therefore,
Domain1 is used.

For
subscriber2, the HA service determines that
Domainx is configured as the default domain name.
Therefore,
Domainx is used.

For
subscriber3, the HA service determines that no context is
configured that matches the domain name (Domain37) specified in
the username string. Because no last-resort context name was configured, the
Source context is used.

The system then
communicates with the Home AAA server specified in the Source context's AAA
configuration to authenticate the subscriber.

Upon successful
authentication of all three subscribers, the HA service determines which
destination context to use for each of the subscriber sessions. This process is
described in the
How the
System Selects Contexts section located in the
Understanding the System Operation and Configuration
chapter of the
System
Administration Guide.

For
subscriber1, the HA service receives the
SN-VPN-NAME or
SN1-VPN-NAME attribute equal to
Domain1 as part of the Authentication Accept message from
the AAA server on
Domain1's network. Therefore,
Domain1 is used as the destination context.

For
subscriber2, the HA service determines that the
SN-VPN-NAME or
SN1-VPN-NAME attribute was not returned with the
Authentication Accept response, and determines the subscriber IP context name
configured within the
Domainx context. Therefore, the
Domainx context is used as the destination context.

For
subscriber3, the HA service determines that the
SN-VPN-NAME or
SN1-VPN-NAME attribute was not returned with the
Authentication Accept response, and determines the subscriber IP context name
configured within the
Source context. Therefore, the
Source context is used as the destination context.

Data traffic
for the subscriber session is then routed through the PDN interface in each
subscriber's destination context.

Accounting
messages for the session are sent to the AAA server over the appropriate AAA
interface.
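The username-format rule of Table 9 (right-to-left search for the separator) together with its default-domain and last-resort settings decide which context provides AAA for a session; the call flow above applies them to subscriber1@Domain1, subscriber2 and subscriber3@Domain37. The following added Python example, not the system's own code, implements that selection with the walkthrough's context names; how a domain-first format and several configured formats are applied, how an empty domain-part is treated as poorly formed, and the fall-back to the source context when no default domain is configured are assumptions, not behaviour the page states.

```python
from typing import Optional, Sequence, Tuple

# Separator characters the page lists for the subscriber username format.
SEPARATORS = "@%-\\#/"


def split_username(username: str, username_format: str = "username@domain") -> Tuple[str, Optional[str]]:
    """Apply one username format, 'username<sep>domain' or 'domain<sep>username'.

    The string is searched from right to left, so the rightmost separator is the
    split point: user1@enterprise@isp1 -> username user1@enterprise, domain isp1."""
    sep = next((c for c in username_format if c in SEPARATORS), None)
    if sep is None:
        raise ValueError("username format needs one of the separators %r" % SEPARATORS)
    idx = username.rfind(sep)
    if idx < 0:
        return username, None               # no separator: the domain-part is missing
    left, right = username[:idx], username[idx + 1:]
    if not left or not right:
        return username, None               # empty side: domain-part treated as poorly formed (assumption)
    if username_format.startswith("username"):
        return left, right
    return right, left                      # domain-first format (assumed reading of the same rule)


def resolve_domain(username: str, formats: Sequence[str]) -> Tuple[str, Optional[str]]:
    """Try the configured formats (up to six) in order; the first whose separator is present wins (assumption)."""
    for fmt in formats[:6]:
        user, domain = split_username(username, fmt)
        if domain is not None:
            return user, domain
    return username, None


def select_aaa_context(username: str, configured_contexts, formats=("username@domain",),
                       default_domain: Optional[str] = None, last_resort: Optional[str] = None,
                       source_context: str = "Source") -> Tuple[str, str]:
    """Choose the context that provides AAA for the session, in the order Table 9 describes.

    Returns (context_name, reason)."""
    _user, domain = resolve_domain(username, formats)
    if domain is None:
        # Domain-part missing or poorly formed: the subscriber default domain name applies.
        if default_domain is not None:
            return default_domain, "default domain (no domain-part in the username)"
        return source_context, "no domain-part and no default domain configured (assumed fallback)"
    if domain in configured_contexts:
        return domain, "a configured context matches the domain-part"
    if last_resort is not None:
        return last_resort, "last-resort context (no context named %s)" % domain
    return source_context, "no context named %s and no last-resort context configured" % domain


if __name__ == "__main__":
    # Contexts and system-level settings of the walkthrough: Source, Domainx (default domain), Domain1.
    contexts = {"Source", "Domainx", "Domain1"}
    for name in ("subscriber1@Domain1", "subscriber2", "subscriber3@Domain37"):
        print(name, "->", select_aaa_context(name, contexts, default_domain="Domainx"))
```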